Comments on: Open IT Forum: Are you on hacking offense or defense?
http://itknowledgeexchange.techtarget.com/itanswers/open-it-forum-are-you-on-hacking-offense-or-defense/
Tue, 26 Sep 2017 16:52:26 +0000

By: Don’t pass the buck: Security policies straight from the community - Enterprise IT Watch Blog
http://itknowledgeexchange.techtarget.com/itanswers/open-it-forum-are-you-on-hacking-offense-or-defense/#comment-93783
Thu, 30 Jun 2011 13:24:27 +0000
[…] setting up a sufficient defense in the case of a successful breach. We threw out the line, and the IT Knowledge Exchange community responded with some priceless opinions and advice. Does your company have a vague security policy or some […]
By: melanieyarbrough
http://itknowledgeexchange.techtarget.com/itanswers/open-it-forum-are-you-on-hacking-offense-or-defense/#comment-93747
Wed, 29 Jun 2011 18:16:49 +0000
This is a lot of great information! Thanks to everyone for sharing. I’ve added everyone’s points so far, but keep the discussion going!

Fantastic interview here with Brian Snow who was the technical director of information assurance for the NSA in the US on this very subject.

Very informative.

By: ekardrish
http://itknowledgeexchange.techtarget.com/itanswers/open-it-forum-are-you-on-hacking-offense-or-defense/#comment-93547
Wed, 22 Jun 2011 18:06:18 +0000
As technicians, we sometimes get lost in technical solutions to every problem that on the surface appears to be technical.

In reality this is a risk analysis problem that needs to be understood and then addressed by management. There are industry standard, business methodologies for auditing and identifying risks within any department including technology groups.

We all know that users inside and outside the organization are going to attempt to breach security (whether they mean to or not). Therefore we have to plan that it will happen, and not be surprised afterwards that it did happen. Our job is to devise systems that will keep the 98% of attempts made by amateurs and the ignorant from being effective.

Then plan contingencies for the 2% who we can’t stop from breaking through our security.

Users naturally wander the infrastructure in places they shouldn’t. Most users assume that the technical planners were smart enough to keep them out of the places they shouldn’t be going. If we aren’t that smart, I’d say that we have to shoulder some, if not all of the blame when the front desk secretary notices that he/she has access to the payroll records for the company. Is it a surprise that he/she might take a peek at those records? In my mind it is the IT group that is the problem not the secretary.

But what if we unwittingly do hire a hacker to be our front desk person? Or a group of hackers takes interest in our organization? We need contingency plans. Once the walls have been breached, have we created new security walls for possible entrance points? Do we know every hole that’s been created in our first security wall, so that we can close it up in the same way a castle drawbridge is raised when there is an attack?

I’ve found that the most technical people in the organization are the most arrogant about their own security risk. It’s been documented in many hacker articles that there are 10 common admin passwords. The two most common admin passwords are still “Password” and “P@ssw0rd”. 8 out of 10 networks I audit have given administrative rights to their service accounts. Often the administrative account is also a service account. Most administrators fail to see this as a real problem.

Why are system administrators even running with the system admin account? That should be a backup account locked in a safe. Each system administrator should have their own account so that their activity can be tracked on the network. Password changes need to be enforced on the network, yet most organizations never change the Admin passwords or their service account passwords. Yet how often are these accounts,

A) Given admin rights
B) A common service account password
C) Documented in a spreadsheet that is accessible to the entire IT group.

So if the service account has administrative rights to the entire network, knowing the service account password gives access to the entire network.

A common problem is that when the system administrator password is changed after the old system administrator leaves, certain applications coincidentally stop working.

Before trying the benevolent hacking route on a system, I will perform an IT audit, security audit and business process audit. I think a benevolent audit is very exciting and demonstrative, but if you know the tactics used by the hacker, it’s easier and less expensive to just identify the paths the benevolent hacker would take to break in.

Some of the most obvious mistakes I find:

Administrative accounts being used by multiple people
Common knowledge within the organization or IT department of the Admin password
Tracking turned off on corporate data files
Service accounts that are compromised or are the Administrator
No Security Policy documented
No documentation on security groups, policies and/or explicit rights
Inconsistent backups
Poor understanding of router and firewall ports
Only one security wall between the corporate data and the internet

Red flags during the audit:
The front desk person knows and shares with me the administrative password for the network.
The manager says, “We trust all our employees, so we don’t need to worry about security.”
No documentation for the security model describing the network data structure
No documentation around the physical topology of the network
No hardware or software inventory on the network
No documentation on the open ports for the router or Firewall
Servers and workstations are months out of date on their security patch levels
Timing errors on the server

In answer to the original question about how companies can avoid being a sitting duck, I’d have to recommend:

A) Continuous auditing within the IT groups, focusing specifically on corporate requirements, industry best practices, and corporate policies and procedures.
B) Then reviewing contingency plans in case of failure and security breaches.
C) Finally assigning a “Security” role that focuses specifically on the organization’s security. This role would be responsible for reviewing corporate security policy. As part of that responsibility, it would continually gather security requirements from departmental stakeholders, manage security audits within the organization and maintain a discussion around these issues within the entire business organization.

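As an added example (not code from any of the posters above), a PowerShell check for the service-account finding in this post: it lists Windows services whose logon account is a named domain or local account and flags those that are members of the local Administrators group. The cmdlets used are standard; the -Services and -AdminMembers parameters are there so the function can also be run against the constructed sample data at the bottom.

```powershell
# Added example: flag services running under accounts that hold local admin rights.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember); run elevated for a complete service list.
function Find-AdminServiceAccounts {
    param(
        # Objects with Name, StartName and State; defaults to the live service list
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service),
        # Account names as 'DOMAIN\user' or 'COMPUTER\user'; defaults to the live Administrators group
        [string[]]$AdminMembers = (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    )
    # Built-in identities are expected to be privileged; the finding of interest is a named account.
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalSystem', 'NT AUTHORITY\LocalService',
                 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\SYSTEM')
    $admins = $AdminMembers | ForEach-Object { $_.ToLowerInvariant() }

    foreach ($svc in $Services) {
        $account = $svc.StartName
        if ([string]::IsNullOrEmpty($account) -or $builtIn -contains $account) { continue }
        # Win32_Service reports local accounts as '.\name'; normalise to 'COMPUTERNAME\name'
        $normalised = $account -replace '^\.\\', "$env:COMPUTERNAME\"
        if ($admins -contains $normalised.ToLowerInvariant()) {
            [pscustomobject]@{
                Service = $svc.Name
                Account = $account
                State   = $svc.State
                Finding = 'Service account is a member of local Administrators'
            }
        }
    }
}

# Constructed sample input (hypothetical names), so the check runs without touching a real host.
$sampleServices = @(
    [pscustomobject]@{ Name = 'Spooler';   StartName = 'LocalSystem';     State = 'Running' },
    [pscustomobject]@{ Name = 'BackupSvc'; StartName = 'CORP\svc_backup'; State = 'Running' },
    [pscustomobject]@{ Name = 'ReportSvc'; StartName = '.\reportsvc';     State = 'Stopped' }
)
$sampleAdmins = @('CORP\Domain Admins', 'CORP\svc_backup', "$env:COMPUTERNAME\Administrator")

# Only BackupSvc is reported: its account sits directly in Administrators.
Find-AdminServiceAccounts -Services $sampleServices -AdminMembers $sampleAdmins | Format-Table -AutoSize
# Live run on the current host: Find-AdminServiceAccounts | Format-Table -AutoSize
```

Nested membership (an account that is in a domain group which is itself in Administrators) is not resolved here; for that, expand the group list with Get-ADGroupMember -Recursive before passing it in.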
By: erroneousgiant
http://itknowledgeexchange.techtarget.com/itanswers/open-it-forum-are-you-on-hacking-offense-or-defense/#comment-93490
Tue, 21 Jun 2011 15:10:50 +0000
I would have to agree with Chippy088 in that the weakest link is often the user, but as administrators of the environment (not just the network) it is our responsibility to either put in place means of preventing users from putting the company at more than accepted risks or to educate the users about the risks.

Users trawling around random sites and upper management making poor decisions can only shoulder blame so far.

The IT team are just as responsible for any breach by either not verifying security properly, not having the correct security in place, or not shouting loudly enough if it’s not in place.

The kicker is when you have shouted enough and you are purchasing the equipment... and then get hit (this happened to a friend of mine in Sydney a year or so ago).

By: chippy088
http://itknowledgeexchange.techtarget.com/itanswers/open-it-forum-are-you-on-hacking-offense-or-defense/#comment-93485
Tue, 21 Jun 2011 13:48:50 +0000
Most times the weakest link is the user. Because they think you have the system well protected, they don’t care where they browse, or what they download. They are, in the main, non-technical, and think it’s covered, or have not been made aware of the dangers. The attitude being, “I haven’t had a problem at home, so what harm can it do?” I have seen many small companies who regard the user as a minor consideration when making security decisions.

Social networks are a source of back door entry points into companies that are now raising their public profile by joining them to advertise free to a larger, wider audience. Once users within the company can log in (to see the latest company advertising), they will get tempted to wander. Finances make that decision, and the techies have to make it happen.

Aggressive methods are also needed.

Company policy should consider penetration testing methods. If it is done within the company, cost could be kept to a minimum. Many of us IT types have a big interest in it, and keep up to date on the methods hackers use.

It is a fine line between poacher and gamekeeper, and the gamekeeper can only do his job by knowing what the poacher is up to.

Just because something has a very low probability of happening doesn’t mean it won’t be catastrophic when it does eventually happen.

The key to security is realising that a hacker/attacker isn’t looking for anything you’ve done right, they just need the one thing you’ve done wrong. Even if it’s a small thing it can be enough to socially engineer more errors or access.

One tiny low-risk hole in security isn’t the end of the world, but 3 or 4 are, because cumulatively they become a large stack-o-fail.